Adventures in Russian Malware

I just posted an analysis of a pcap file from a political figure. While I expected to find targeted malware tat was possibly associated with political activities, I found a bunch of Russian/Ukrainian malware. What I found interesting, and which seems to match what key security community folks are seeing (here and here), is a “bundling” of malware. In this case, a Black Energy bot was bundles with with the “Oficla/Sasfis” Trojan downloader as well as RogueAV (Win32.FakeScanti).

Another interesting issues was the use of Chinese IP addresses by the Russian malware (which given the political figure whose computer was infected, Chinese IP addresses were contextually relevant). This is certainly not new, (see here, here etc…) but I think it hits home the point that simply relying on GeoIP to determine attribution and/or motivation is misguided.

I tried to link part of this operation to someone who appears to be some sort of “middleman” who propagates a variety of malware. There are a variety of posts on forums by “rundll32” in which he advertises an “affiliate program” that “is not detected by any antivirus.” In the ad he uses the domain rundll32.ru which is registered to “rundll32@yandex.ru” which was also used by Alexander V. Prokhorov (or Prochorov) in a paper submitted at Moscow State University.

I find the relationships between the various groups and how different individuals and groups within the malware ecosystem get ultimately paid very interesting.

One comment.

Go to pay-per-install.org and TAKE A WIDE LOOK

guys, you are just like teenagers :-)))) hope, you will realize something more important than adware networks